CVE-2025-71260
Published: 19 March 2026
Summary
CVE-2025-71260 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in BMC FootPrints ITSM. Its CVSS base score is 8.7 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability (CWE-502) in the application's handling of the ASP.NET VIEWSTATE parameter (the __VIEWSTATE form field that carries a Web Forms page's serialized control state). The flaw permits authenticated attackers to supply crafted serialized objects via the VIEWSTATE parameter, resulting in arbitrary code execution that fully compromises the application. The CVSS 4.0 score of 8.7 reflects a network attack vector, low attack complexity, low privileges required and no user interaction.
An attacker with valid credentials can exploit the weakness to achieve remote code execution and take complete control of the affected ITSM instance. Because the vector requires authentication but no user interaction, the attack can be launched from any network position that can reach the application once a valid account or session has been obtained.
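The page does not describe the payload used against FootPrints, so a responder hunting for exploitation has to fall back on what ASP.NET ViewState normally looks like. The following Python triage helper is an added example, not code from BMC, VulnCheck, watchTowr or this page: it decodes the __VIEWSTATE field from a captured form body and reports generic indicators of a crafted serialized object (an embedded BinaryFormatter stream, type names used by public .NET gadget chains, unusual size). The sample bodies are constructed, the marker list is illustrative rather than a signature for this CVE, and the size threshold is an assumption to be tuned per application.

```python
import base64
import binascii
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode

# Added example (not BMC's or the advisory's code): triage of a captured POST
# body to an ASP.NET Web Forms page, looking only at the __VIEWSTATE field.

# ObjectStateFormatter/LosFormatter writes 0xFF (format marker) then 0x01
# (version) before the token stream; base64 of those two bytes begins "/wE".
VIEWSTATE_MAGIC = b"\xff\x01"

# SerializationHeaderRecord that opens every BinaryFormatter stream:
# recordType 0x00, rootId 1, headerId -1, majorVersion 1, minorVersion 0.
BINARYFORMATTER_HEADER = (
    b"\x00"
    + (1).to_bytes(4, "little")
    + (-1).to_bytes(4, "little", signed=True)
    + (1).to_bytes(4, "little")
    + (0).to_bytes(4, "little")
)

# Type names that appear in public .NET deserialization gadget chains.
# Illustrative short list only (assumption): maintain real signatures from a
# current gadget catalog. Nothing here is specific to CVE-2025-71260.
GADGET_MARKERS = [
    b"System.Windows.Data.ObjectDataProvider",
    b"System.Diagnostics.Process",
    b"ActivitySurrogateSelector",
    b"System.Security.Claims.ClaimsIdentity",
]


def decode_viewstate(form_body: str) -> Optional[bytes]:
    """Extract __VIEWSTATE from a URL-encoded form body and base64-decode it.

    Returns None when the field is absent or is not valid base64.
    """
    values = parse_qs(form_body, keep_blank_values=True).get("__VIEWSTATE")
    if not values:
        return None
    try:
        return base64.b64decode(values[0], validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_viewstate(form_body: str, size_threshold: int = 16384) -> Dict[str, object]:
    """Return integrity-relevant observations about a submitted ViewState.

    Caveats for the triager:
    - ViewState the server encrypts (viewStateEncryptionMode=Always) does not
      start with the magic bytes, so missing magic is reported, not flagged.
    - ObjectStateFormatter legitimately falls back to BinaryFormatter for types
      it cannot encode natively; judge that signal against the application's
      normal traffic. Gadget type names are the strongest signal here.
    - size_threshold is an assumed starting point, not a measured baseline.
    """
    blob = decode_viewstate(form_body)
    findings: Dict[str, object] = {
        "present": blob is not None,
        "length": 0,
        "has_losformatter_magic": False,
        "embeds_binaryformatter": False,
        "gadget_markers": [],
        "oversized": False,
        "suspicious": False,
    }
    if blob is None:
        return findings
    markers: List[str] = [m.decode() for m in GADGET_MARKERS if m in blob]
    findings.update(
        length=len(blob),
        has_losformatter_magic=blob.startswith(VIEWSTATE_MAGIC),
        embeds_binaryformatter=BINARYFORMATTER_HEADER in blob,
        gadget_markers=markers,
        oversized=len(blob) > size_threshold,
    )
    findings["suspicious"] = bool(markers) or bool(findings["embeds_binaryformatter"])
    return findings


def _form_body(blob: bytes) -> str:
    """Build a constructed form body the way a browser would submit it."""
    return urlencode({
        "__VIEWSTATE": base64.b64encode(blob).decode("ascii"),
        "__EVENTVALIDATION": "constructed",
    })


# Constructed samples. The bytes after the magic are filler shaped like a
# token stream, not a faithful ObjectStateFormatter encoding of a real page.
BENIGN_BODY = _form_body(VIEWSTATE_MAGIC + b"\x0f\x05\x02\x05\x05hello\x05\x05world")
SUSPICIOUS_BODY = _form_body(
    VIEWSTATE_MAGIC
    + b"\x32"  # filler token byte; the scan does not parse tokens
    + BINARYFORMATTER_HEADER
    + b"\x0c\x02\x00\x00\x00System.Windows.Data.ObjectDataProvider" + b"\x00" * 8
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(label, inspect_viewstate(body))
```

Feed it request bodies recovered from a reverse proxy, WAF or full-packet capture (IIS W3C logs do not record POST bodies, so they cannot supply the __VIEWSTATE value). Because the flaw requires authentication, pair every flagged request with the session or account that sent it; that account is compromised or malicious and belongs in the incident scope.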
Official remediation is the hotfix BMC has published for each affected release branch (20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002 and 20.24.01), as detailed in BMC release notes and corroborated by VulnCheck and WatchTowr advisories.
The CVE's EPSS score has risen from lower values to a peak of 0.3659 and currently stands at 0.3033, i.e. an estimated 30% probability of exploitation activity within the next 30 days. That post-disclosure rise indicates emerging exploitation interest and warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208877
Vulnerability details
BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001 contain a deserialization of untrusted data vulnerability in the ASP.NET servlet's VIEWSTATE handling that allows authenticated attackers to execute arbitrary code. Attackers can supply crafted serialized objects to the VIEWSTATE parameter to achieve remote code execution and fully compromise the application. The following hotfixes remediate the vulnerability: 20.20.02, 20.20.03.002, 20.21.01.001, 20.21.02.002, 20.22.01, 20.22.01.001, 20.23.01, 20.23.01.002, and 20.24.01.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ViewState deserialization flaw in the network-accessible BMC FootPrints ITSM web application gives an authenticated attacker remote code execution, which maps directly to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the listed hotfixes that remediate the deserialization flaw in VIEWSTATE handling.
- SI-10 (Information Input Validation): mandates validation of input data, which would block crafted serialized objects supplied via the VIEWSTATE parameter.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and information, helping ensure only trusted code executes after deserialization.
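Independently of the hotfix, the standard ASP.NET control for the integrity of ViewState is the per-application machineKey, with MAC validation and encryption enabled on the pages element. The fragment below is an added example of that hardening and is not BMC's hotfix or configuration; the page does not say whether this control was missing or bypassed in FootPrints, so treat it as defense in depth alongside the hotfix, not as a substitute for it. The key values are placeholders (assumption) and must be generated from a cryptographically secure random source.

```xml
<!-- web.config fragment: added example, not BMC's configuration.
     Key values are placeholders; generate real ones from a CSPRNG. -->
<configuration>
  <system.web>
    <!-- Keys the ViewState MAC and encryption; keep them secret and rotate
         them if a host or backup that held them may have been exposed. -->
    <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS_FROM_A_CSPRNG"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_FROM_A_CSPRNG"
                validation="HMACSHA256"
                decryption="AES" />
    <!-- Reject ViewState whose MAC does not verify and never send it in
         the clear, so a client cannot read or forge the serialized state. -->
    <pages enableViewStateMac="true"
           viewStateEncryptionMode="Always" />
  </system.web>
</configuration>
```

The MAC only helps while the validationKey stays secret: an attacker who obtains it can sign arbitrary serialized objects, which is why key handling belongs in the same review as the patch level.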